Dave Lewis

Elephants On The Lawn

Blog Post created by Dave Lewis Employee on Feb 13, 2015

It is almost a year since I took a wicked tumble down the stairs at YYZ. Between that and reading about numerous data breaches, I am reminded of this article that I wrote about security debt in March 2014.


"Refusing to see the elephants on the lawn" - CSO Online


The other day I was walking through the airport in Toronto. For once I wasn't going to catch a plane or was returning from some place. It was nice. I had a meeting that went well and I was walking back to the car. As I made my way down the stairs I noticed that they were all grey with the exception of one black one. For a split second I thought "why would tha…" and then my brain and foot had a failure to communicate.


My foot slipped and rolled to the point where I felt my ankle actually touching the floor. The pain that shot through my leg was vicious. The next thought that I registered was the crunching noise. I hope that I never hear that again.


There I was crumpled on the floor.


Writhing in pain.


Feeling nauseous.


I was surprised to see that no one stopped to help me. Not a soul. Instead the only souls that I saw were the soles of people's shoes as they stepped over and around me. It was baffling. I counted them. 17 people walked by without even once making eye contact. I wondered if I had suddenly become invisible.


When someone finally did go for help I was struck by the parallel I have seen in information security so many times. A problem exists in some piece of software or say in the perimeter. It is a bad one. But, no one does anything about it. They jam their heads in the sand hoping that no one will notice the elephant that is sitting on the lawn.


Security debt is how far your security is removed from an ideal posture. [ref] It is safe to say that there are many companies that are carrying far more debt load than could ever be considered to be manageable. This should not be the case and yet, here we are.


I worked for one company years ago that had a file transfer application that they had built in house. This thing was an abomination in no uncertain terms. The entire application was designed to use an FTP bounce attack to move files. I spoke to the lead developer about this issue. He was an arrogant man. He countered my inquiries with "well, it doesn't say anywhere in the RFC that we can't do that." After a brief fantasy flashed before my eyes where I was drinking mead from his skull had subsided I decided to speaking with the CIO and others.


I continually ran into roadblocks. No one was willing to speak against this developer. This was a problem. I had to figure out how to raise this issue, along with many others to the senior management in a way that they would not only listen but, hear me.


A second example was that this organization was using a firewall that I had not ever seen in a production environment. To say nothing of the fact that it was dated software. The vendor no longer supported it. I reached out on forums looking for anyone who might have information about these firewalls. Then, three days later I found one of the original developers. He didn't mince words. "Rip those bloody things out ASAP." I indicated that I didn't have any dispute with him on that point. I explained that the company had been relying on security consultant who had been maintaining these firewalls on their behalf for a couple years. "He's an idiot. Break the box to prove your point."


Game on.


This firewall was logging almost nothing. It was set up to allow minimal traffic but, it did zero checking against protocols that were traversing the ports. Example, I was able to set the firewall as a proxy and access ICQ (yes, it was a while ago) this way. I was able to tunnel SSH over other open ports. It went on like this. I brought my findings to management and they seemed unsure even then. The clincher came when the consultant came in during the middle of the night to work on a router. No one knew why he was there. No one new what changes he was making. No one knew why he was charging them for overtime.


BOOM head shot. That was the end of that.


What followed in quick succession was the release of funds to replace the firewalls, intrusion detection system, centralized logging and other projects. Thankfully the new firewalls solved the FTP bounce attack as it wouldn't allow the transaction to run due to the protocol violation. My Schadenfreude was feeling the love.


No one had been willing to pay attention to the problems that they were facing because no one was willing to ask the tough questions. Security was seen as an inconvenience and this was before the days of compliance efforts. These types of problems still exist in organizations today and we have to get better at asking the tough questions.


We have to stop pretending we can't see the elephants on the lawn.